A bit new to Splunk, but I'm using some of my knowledge of generating reports in Access to graph some information I am pulling down from a Cisco PIX firewall. I'm using the Cisco ASA field extractions app plus the Cisco Security app, along with the MaxMind GeoIP app.
What I'm looking to graph is the source country hitting various ports on the outside interface on my Pix. Thus, something like:
sourcetype="cisco_asa" src_ip=* src_ip!=10.* src_ip!=192.168.* src_ip!=172.16.* src_dom="outside" dest_port=* | lookup geoip clientip as src_ip | rename client_country as src_country
If I append "| transaction src_country,dest_port", I get something close to what I'm after: a grouping of events of IPs hitting a single port (my observation shows that these happen in blocks; probably malware targeting a single port across multiple IPs in my netblock). I figure if GeoIP can collapse multiple IPs into their owner countries, I'll then have a distinction of country vs. destination port (on my netblock).
I then want to somehow model that in such a way as to determine which country hits which port the most often... I think. Data modeling isn't my specialty, so I know the end-result graph won't be a pie chart or anything, but this is where I'm getting confused as to how best to model that kind of data. I think I need additional levels of grouping, or maybe counting, but I'm unsure.
Thoughts?
By the way, if anyone has figured out how to get the map in SplunkForCiscoSecurity to work, I'm all ears. The app targets an ASA, but all I have is a simple PIX. No CSA/WSA/IPS setup. I haven't figured out how the map stuff populates, though, so I can't piece that together.
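One way to get the country-vs-port count the post is asking for, as an added example that is not part of the original post. It reuses the `sourcetype`, `src_dom`, `src_ip`, `dest_port` fields and the `geoip` lookup with its `clientip` / `client_country` fields from the search above; the `cidrmatch` filter, the `hits` and `distinct_sources` field names and the `head 20` cutoff are my choices, and it assumes the geoip lookup leaves `client_country` empty for addresses it cannot resolve:

```spl
sourcetype="cisco_asa" src_dom="outside" src_ip=* dest_port=*
| where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
| lookup geoip clientip AS src_ip OUTPUT client_country AS src_country
| fillnull value="unknown" src_country
| stats count AS hits, dc(src_ip) AS distinct_sources BY src_country, dest_port
| sort -hits
| head 20
```

`stats count BY src_country, dest_port` is used instead of `transaction` because it yields one row per country/port pair that can be sorted and graphed directly, and it does not have to hold event groups in memory. `dc(src_ip)` separates one scanner hitting many of your addresses from many sources hitting one port, which is the distinction the "blocks" observation is about. The `cidrmatch` filter excludes the whole 172.16.0.0/12 range (172.16 through 172.31), not only 172.16.x.x. For a chart rather than a table, replace the last three lines with `| chart count OVER dest_port BY src_country limit=10 useother=f`, which gives one series per country and suits a stacked bar chart.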